Analysis
-
max time kernel
136s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
19-06-2024 12:10
Static task
static1
Behavioral task
behavioral1
Sample
Material Attached.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
Material Attached.exe
Resource
win10v2004-20240611-en
General
-
Target
Material Attached.exe
-
Size
983KB
-
MD5
a7a11d7dc16fef60c09830725b1d70f5
-
SHA1
c351ed457dd5855594b7def5804fbd785dfcb370
-
SHA256
247231562ac357a1ccf0770b35d4bd7b140a98e677b1a31f825ba9d020e51eb0
-
SHA512
054328aa10643e97b8b04e0190332d1a8b4dab3f7cd0116cb7cfff3145ef99e17fcccf2080586671483b5f942246f4d2d0e2c30633909231418f8008ed264cbe
-
SSDEEP
12288:map8vZ89HTpiwVuWcWzDSVYFCVmKVa9FcxSPBk4mO/mKU6S+P4g0H6qx/gup+5Ac:m6kLwA7WzsnQSSPBPm+7hw7sejpLAtEg
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
webmail.standardengg-works.com - Port:
587 - Username:
[email protected] - Password:
welcomesew42ac - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepid Process 4292 powershell.exe 4296 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Material Attached.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation Material Attached.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
RegSvcs.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VmkjVd = "C:\\Users\\Admin\\AppData\\Roaming\\VmkjVd\\VmkjVd.exe" RegSvcs.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 23 api.ipify.org 24 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Material Attached.exedescription pid Process procid_target PID 1852 set thread context of 3768 1852 Material Attached.exe 103 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
Material Attached.exepowershell.exepowershell.exeRegSvcs.exepid Process 1852 Material Attached.exe 1852 Material Attached.exe 1852 Material Attached.exe 1852 Material Attached.exe 1852 Material Attached.exe 1852 Material Attached.exe 4292 powershell.exe 4296 powershell.exe 1852 Material Attached.exe 1852 Material Attached.exe 1852 Material Attached.exe 4296 powershell.exe 3768 RegSvcs.exe 3768 RegSvcs.exe 4292 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
Material Attached.exepowershell.exepowershell.exeRegSvcs.exedescription pid Process Token: SeDebugPrivilege 1852 Material Attached.exe Token: SeDebugPrivilege 4292 powershell.exe Token: SeDebugPrivilege 4296 powershell.exe Token: SeDebugPrivilege 3768 RegSvcs.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
RegSvcs.exepid Process 3768 RegSvcs.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
Material Attached.exedescription pid Process procid_target PID 1852 wrote to memory of 4292 1852 Material Attached.exe 96 PID 1852 wrote to memory of 4292 1852 Material Attached.exe 96 PID 1852 wrote to memory of 4292 1852 Material Attached.exe 96 PID 1852 wrote to memory of 4296 1852 Material Attached.exe 98 PID 1852 wrote to memory of 4296 1852 Material Attached.exe 98 PID 1852 wrote to memory of 4296 1852 Material Attached.exe 98 PID 1852 wrote to memory of 3352 1852 Material Attached.exe 100 PID 1852 wrote to memory of 3352 1852 Material Attached.exe 100 PID 1852 wrote to memory of 3352 1852 Material Attached.exe 100 PID 1852 wrote to memory of 1228 1852 Material Attached.exe 102 PID 1852 wrote to memory of 1228 1852 Material Attached.exe 102 PID 1852 wrote to memory of 1228 1852 Material Attached.exe 102 PID 1852 wrote to memory of 3768 1852 Material Attached.exe 103 PID 1852 wrote to memory of 3768 1852 Material Attached.exe 103 PID 1852 wrote to memory of 3768 1852 Material Attached.exe 103 PID 1852 wrote to memory of 3768 1852 Material Attached.exe 103 PID 1852 wrote to memory of 3768 1852 Material Attached.exe 103 PID 1852 wrote to memory of 3768 1852 Material Attached.exe 103 PID 1852 wrote to memory of 3768 1852 Material Attached.exe 103 PID 1852 wrote to memory of 3768 1852 Material Attached.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\Material Attached.exe"C:\Users\Admin\AppData\Local\Temp\Material Attached.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Material Attached.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4292
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kDtrwbEktsDpCd.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4296
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kDtrwbEktsDpCd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDA33.tmp"2⤵
- Scheduled Task/Job: Scheduled Task
PID:3352
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵PID:1228
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3768
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
18KB
MD50aa83a93781c39a58f0f4323db0b3bd9
SHA11d227818b583db26f58d042ad9428f73d11cc9f0
SHA256861c4855f162b020a22faa5ec54baee54aa87f1c132cecaad145fd50573ed001
SHA512b584964d17973a3a6893c0738fcd79cf66b2add7949409619b6573f5522bd801a3b983e555eba22ea93c78365d69409ad96618aaecd24598412c4fd18310f6cd
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD53c529f40835665622a2a05de90345d2d
SHA1b31a4c3b17f14cdb73148328bbe96e009d766722
SHA2569fae04574a0407954b989adf0b982b8ffe498fd2789466ac990c2ee651473aff
SHA512adc01db08e9a869df5fa8954e8d349651b750185fe99f2607e07f8c9c49d2856e89a7d62980af85e93c3cc0d7a7d494e427c0fe0ed610dbcd1e75ee1263a5755